Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 3. Signing a kernel and modules for Secure Boot

Enhance system security by using signed kernels and modules. On UEFI systems with Secure Boot, you can self-sign custom kernel builds or kernel modules, and import public keys to target systems. Secure Boot requires signing the boot loader, kernel, and all kernel modules to ensure a successful boot process.

RHEL 8 includes:

  • Signed boot loaders
  • Signed kernels
  • Signed kernel modules

In addition, the signed first-stage boot loader and the signed kernel include embedded Red Hat public keys. These signed executable binaries and embedded keys enable RHEL 8 to install, boot, and run with the Microsoft UEFI Secure Boot Certification Authority keys. These keys are provided by the UEFI firmware on systems that support UEFI Secure Boot.

Note
  • Not all UEFI-based systems include support for Secure Boot.
  • The build system, where you build and sign your kernel module, does not need to have UEFI Secure Boot enabled and does not even need to be a UEFI-based system.

3.1. Prerequisites
Copier lien

  • To be able to sign externally built kernel modules, install the utilities from the following packages: 

    # yum install pesign openssl kernel-devel mokutil keyutils
    Copy to Clipboard Toggle word wrap
    Expand
    Table 3.1. Required utilities
    UtilityProvided by packageUsed onPurpose

    efikeygen

    pesign

    Build system

    Generates public and private X.509 key pair

    openssl

    openssl

    Build system

    Exports the unencrypted private key

    sign-file

    kernel-devel

    Build system

    Executable file used to sign a kernel module with the private key

    mokutil

    mokutil

    Target system

    Optional utility used to manually enroll the public key

    keyctl

    keyutils

    Target system

    Optional utility used to display public keys in the system keyring

3.2. What is UEFI Secure Boot
Copier lien

With the Unified Extensible Firmware Interface (UEFI) Secure Boot technology, you can prevent the execution of the kernel-space code that is not signed by a trusted key. The system boot loader is signed with a cryptographic key. The database of public keys in the firmware authorizes the process of signing the key. You can subsequently verify a signature in the next-stage boot loader and the kernel.

UEFI Secure Boot establishes a chain of trust from the firmware to the signed drivers and kernel modules as follows:

  • An UEFI private key signs, and a public key authenticates the shim first-stage boot loader. A certificate authority (CA) in turn signs the public key. The CA is stored in the firmware database.
  • The shim file contains the Red Hat public key Red Hat Secure Boot (CA key 1) to authenticate the GRUB boot loader and the kernel.
  • The kernel in turn contains public keys to authenticate drivers and modules.

Secure Boot is the boot path validation component of the UEFI specification. The specification defines:

  • Programming interface for cryptographically protected UEFI variables in non-volatile storage.
  • Storing the trusted X.509 root certificates in UEFI variables.
  • Validation of UEFI applications such as boot loaders and drivers.
  • Procedures to revoke known-bad certificates and application hashes.

UEFI Secure Boot helps in the detection of unauthorized changes but does not:

  • Prevent installation or removal of second-stage boot loaders.
  • Require explicit user confirmation of such changes.
  • Stop boot path manipulations. Signatures are verified during booting but, not when the boot loader is installed or updated.

If the boot loader or the kernel are not signed by a system trusted key, Secure Boot prevents them from starting.

3.3. UEFI Secure Boot support
Copier lien

You can install and run RHEL 8 on systems with UEFI Secure Boot enabled if a trusted key signs the kernel and all loaded drivers. Red Hat provides signed and authenticated kernels and drivers. You must sign externally built kernels or drivers before loading them.

Restrictions imposed by UEFI Secure Boot

  • The system only runs the kernel-mode code after its signature has been properly authenticated.
  • GRUB module loading is disabled because no infrastructure exists for signing and verification of GRUB modules. Allowing module loading would run untrusted code within the security perimeter defined by Secure Boot.
  • Red Hat provides a signed GRUB binary that has all supported modules on RHEL 8.

When loading a kernel module, the kernel verifies its signature against public X.509 keys in the system (.builtin_trusted_keys) and platform (.platform) keyrings. Keys in the .blacklist keyring are explicitly excluded from verification.

You need to meet certain conditions to load kernel modules on systems with enabled UEFI Secure Boot functionality:

  • If UEFI Secure Boot is enabled or if the module.sig_enforce kernel parameter has been specified:

    • You can only load those signed kernel modules whose signatures were authenticated against keys from the system keyring (.builtin_trusted_keys) and the platform keyring (.platform).
    • The public key must not be on the system revoked keys keyring (.blacklist).

  • If UEFI Secure Boot is disabled and the module.sig_enforce kernel parameter has not been specified:

    • You can load unsigned kernel modules and signed kernel modules without a public key.

  • If the system is not UEFI-based or if UEFI Secure Boot is disabled:

    • Only the keys embedded in the kernel are loaded onto .builtin_trusted_keys and .platform.
    • You have no ability to augment that set of keys without rebuilding the kernel.
Expand
Table 3.2. Kernel module authentication requirements for loading
Module signedPublic key found and signature validUEFI Secure Boot statesig_enforceModule loadKernel tainted

Unsigned

-

Not enabled

Not enabled

Succeeds

Yes

Not enabled

Enabled

Fails

-

Enabled

-

Fails

-

Signed

No

Not enabled

Not enabled

Succeeds

Yes

Not enabled

Enabled

Fails

-

Enabled

-

Fails

-

Signed

Yes

Not enabled

Not enabled

Succeeds

No

Not enabled

Enabled

Succeeds

No

Enabled

-

Succeeds

No

3.5. Sources for public keys
Copier lien

During boot, the kernel loads X.509 keys from a set of persistent key stores into the following keyrings:

  • The system keyring (.builtin_trusted_keys)
  • The .platform keyring
  • The system .blacklist keyring
Expand
Table 3.3. Sources for system keyrings
Source of X.509 keysUser can add keysUEFI Secure Boot stateKeys loaded during boot

Embedded in kernel

No

-

.builtin_trusted_keys

UEFI db

Limited

Not enabled

No

Enabled

.platform

Embedded in the shim boot loader

No

Not enabled

No

Enabled

.platform

Machine Owner Key (MOK) list

Yes

Not enabled

No

Enabled

.platform

.builtin_trusted_keys
  • A keyring that is built on boot.
  • Provides trusted public keys.
  • root privileges are required to view the keys.
.platform
  • A keyring that is built on boot.
  • Provides keys from third-party platform providers and custom public keys.
  • root privileges are required to view the keys.
.blacklist
  • A keyring with X.509 keys which have been revoked.
  • A module signed by a key from .blacklist will fail authentication even if your public key is in .builtin_trusted_keys.
UEFI Secure Boot db
  • A signature database.
  • Stores keys (hashes) of UEFI applications, UEFI drivers, and boot loaders.
  • The keys can be loaded on the machine.
UEFI Secure Boot dbx
  • A revoked signature database.
  • Prevents keys from getting loaded.
  • The revoked keys from this database are added to the .blacklist keyring.

3.6. Generating a public and private key pair
Copier lien

Generate an X.509 key pair to use custom kernels or modules on Secure Boot systems. Use the private key to sign your binaries, and enroll the public key in the Machine Owner Key (MOK) list to validate and authorize them for boot.

Warning

Apply strong security measures and access policies to guard the contents of your private key. In the wrong hands, the key could be used to compromise any system which is authenticated by the corresponding public key.

Procedure

  • Create an X.509 public and private key pair:

    • If you only want to sign custom kernel modules: 

      # efikeygen --dbdir /etc/pki/pesign \
            --self-sign \
            --module \
            --common-name 'CN=Organization signing key' \
            --nickname 'Custom Secure Boot key'
      Copy to Clipboard Toggle word wrap

    • If you want to sign custom kernel: 

      # efikeygen --dbdir /etc/pki/pesign \
            --self-sign \
            --kernel \
            --common-name 'CN=Organization signing key' \
            --nickname 'Custom Secure Boot key'
      Copy to Clipboard Toggle word wrap

    • When the RHEL system is running FIPS mode: 

      # efikeygen --dbdir /etc/pki/pesign \
            --self-sign \
            --kernel \
            --common-name 'CN=Organization signing key' \
            --nickname 'Custom Secure Boot key'
            --token 'NSS FIPS 140-2 Certificate DB'
      Copy to Clipboard Toggle word wrap
      Note

      In FIPS mode, you must use the --token option so that efikeygen finds the default "NSS Certificate DB" token in the PKI database.

      The public and private keys are now stored in the /etc/pki/pesign/ directory.

Important

It is a good security practice to sign the kernel and the kernel modules within the validity period of its signing key. However, the sign-file utility does not warn you and the key will be usable in RHEL 8 regardless of the validity dates.

3.7. Example output of system keyrings
Copier lien

You can display information about the keys on the system keyrings using the keyctl utility from the keyutils package.

Prerequisites

  • You have root permissions.
  • You have installed the keyctl utility from the keyutils package.

Example 3.1. Keyrings output

The following is a shortened example output of .builtin_trusted_keys, .platform, and .blacklist keyrings from a RHEL 8 system where UEFI Secure Boot is enabled. 

# keyctl list %:.builtin_trusted_keys
6 keys in keyring:
...asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87...
...asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29...
...asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed...
...asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e...
...asymmetric: Red Hat Enterprise Linux kernel signing key: 4249689eefc77e95880b...
...asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b7...

# keyctl list %:.platform
4 keys in keyring:
...asymmetric: VMware, Inc.: 4ad8da0472073...
...asymmetric: Red Hat Secure Boot CA 5: cc6fafe72...
...asymmetric: Microsoft Windows Production PCA 2011: a929f298e1...
...asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4e0bd82...

# keyctl list %:.blacklist
4 keys in keyring:
...blacklist: bin:f5ff83a...
...blacklist: bin:0dfdbec...
...blacklist: bin:38f1d22...
...blacklist: bin:51f831f...
Copy to Clipboard Toggle word wrap

The .builtin_trusted_keys keyring in the example shows the addition of two keys from the UEFI Secure Boot db keys as well as the Red Hat Secure Boot (CA key 1), which is embedded in the shim boot loader.

Example 3.2. Kernel console output

The following example shows the kernel console output. The messages identify the keys with an UEFI Secure Boot related source. These include UEFI Secure Boot db, embedded shim, and MOK list. 

# dmesg | egrep 'integrity.*cert'
[1.512966] integrity: Loading X.509 certificate: UEFI:db
[1.513027] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a929023...
[1.513028] integrity: Loading X.509 certificate: UEFI:db
[1.513057] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309...
[1.513298] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[1.513549] integrity: Loaded X.509 cert 'Red Hat Secure Boot CA 5: cc6fa5e72868ba494e93...
Copy to Clipboard Toggle word wrap

Authenticate kernel module access by enrolling your public key in the target system’s platform keyring (.platform). Using the Machine Owner Key (MOK) facility, you can expand the UEFI Secure Boot key database to include custom keys for persistent authentication across reboots.

The MOK facility is supported by shim, MokManager, GRUB, and the mokutil utility that enables secure key management and authentication for UEFI-based systems.

Note

To get the authentication service of your kernel module on your systems, consider requesting your system vendor to incorporate your public key into the UEFI Secure Boot key database in their factory firmware image.

Prerequisites

Procedure

  1. Export your public key to the sb_cert.cer file: 

    # certutil -d /etc/pki/pesign \
           -n 'Custom Secure Boot key' \
           -Lr \
           > sb_cert.cer
    Copy to Clipboard Toggle word wrap

  2. Import your public key into the MOK list: 

    # mokutil --import sb_cert.cer
    Copy to Clipboard Toggle word wrap
  3. Enter a new password for this MOK enrollment request.

  4. Reboot the machine.

    The shim boot loader notices the pending MOK key enrollment request and it launches MokManager.efi to enable you to complete the enrollment from the UEFI console.

  5. Choose Enroll MOK, enter the password you previously associated with this request when prompted, and confirm the enrollment.

    Your public key is added to the MOK list, which is persistent.

    Once a key is on the MOK list, it will be automatically propagated to the .platform keyring on this and subsequent boots when UEFI Secure Boot is enabled.

3.9. Signing a kernel with the private key
Copier lien

You can obtain enhanced security benefits on your system by loading a signed kernel if the UEFI Secure Boot mechanism is enabled.

Prerequisites

Procedure

  • On the x64 architecture:

    1. Create a signed image: 

      # pesign --certificate 'Custom Secure Boot key' \
         --in vmlinuz-version \
         --sign \
         --out vmlinuz-version.signed
      Copy to Clipboard Toggle word wrap

      Replace version with the version suffix of your vmlinuz file, and Custom Secure Boot key with the name that you chose earlier.

    2. Optional: Check the signatures: 

      # pesign --show-signature \
         --in vmlinuz-version.signed
      Copy to Clipboard Toggle word wrap

    3. Overwrite the unsigned image with the signed image: 

      # mv vmlinuz-version.signed vmlinuz-version
      Copy to Clipboard Toggle word wrap

  • On the 64-bit ARM architecture:

    1. Decompress the vmlinuz file: 

      # zcat vmlinuz-version > vmlinux-version
      Copy to Clipboard Toggle word wrap

    2. Create a signed image: 

      # pesign --certificate 'Custom Secure Boot key' \
         --in vmlinux-version \
         --sign \
         --out vmlinux-version.signed
      Copy to Clipboard Toggle word wrap

    3. Optional: Check the signatures: 

      # pesign --show-signature \
         --in vmlinux-version.signed
      Copy to Clipboard Toggle word wrap

    4. Compress the vmlinux file: 

      # gzip --to-stdout vmlinux-version.signed > vmlinuz-version
      Copy to Clipboard Toggle word wrap

    5. Remove the uncompressed vmlinux file: 

      # rm vmlinux-version*
      Copy to Clipboard Toggle word wrap

3.10. Signing a GRUB build with the private key
Copier lien

On a system where the UEFI Secure Boot mechanism is enabled, you can sign a GRUB build with a custom existing private key. You must do this if you are using a custom GRUB build, or if you have removed the Microsoft trust anchor from your system.

Prerequisites

Procedure

  • On the x64 architecture:

    1. Create a signed GRUB EFI binary: 

      # pesign --in /boot/efi/EFI/redhat/grubx64.efi \
         --out /boot/efi/EFI/redhat/grubx64.efi.signed \
         --certificate 'Custom Secure Boot key' \
         --sign
      Copy to Clipboard Toggle word wrap

      Replace Custom Secure Boot key with the name that you chose earlier.

    2. Optional: Check the signatures: 

      # pesign --in /boot/efi/EFI/redhat/grubx64.efi.signed \
         --show-signature
      Copy to Clipboard Toggle word wrap

    3. Overwrite the unsigned binary with the signed binary: 

      # mv /boot/efi/EFI/redhat/grubx64.efi.signed \
     /boot/efi/EFI/redhat/grubx64.efi
      Copy to Clipboard Toggle word wrap

  • On the 64-bit ARM architecture:

    1. Create a signed GRUB EFI binary: 

      # pesign --in /boot/efi/EFI/redhat/grubaa64.efi \
         --out /boot/efi/EFI/redhat/grubaa64.efi.signed \
         --certificate 'Custom Secure Boot key' \
         --sign
      Copy to Clipboard Toggle word wrap

      Replace Custom Secure Boot key with the name that you chose earlier.

    2. Optional: Check the signatures: 

      # pesign --in /boot/efi/EFI/redhat/grubaa64.efi.signed \
         --show-signature
      Copy to Clipboard Toggle word wrap

    3. Overwrite the unsigned binary with the signed binary: 

      # mv /boot/efi/EFI/redhat/grubaa64.efi.signed \
     /boot/efi/EFI/redhat/grubaa64.efi
      Copy to Clipboard Toggle word wrap

3.11. Signing kernel modules with the private key
Copier lien

Load signed kernel modules to enhance system security when UEFI Secure Boot is active.

Your signed kernel module is also loadable on systems where UEFI Secure Boot is disabled or on a non-UEFI system. As a result, you do not need to provide both, a signed and unsigned version of your kernel module.

Prerequisites

Procedure

  1. Export your public key to the sb_cert.cer file: 

    # certutil -d /etc/pki/pesign \
           -n 'Custom Secure Boot key' \
           -Lr \
           > sb_cert.cer
    Copy to Clipboard Toggle word wrap

  2. Extract the key from the NSS database as a PKCS #12 file: 

    # pk12util -o sb_cert.p12 \
           -n 'Custom Secure Boot key' \
           -d /etc/pki/pesign
    Copy to Clipboard Toggle word wrap
  3. When the previous command prompts, enter a new password that encrypts the private key.

  4. Export the unencrypted private key: 

    # openssl pkcs12 \
         -in sb_cert.p12 \
         -out sb_cert.priv \
         -nocerts \
         -nodes
    Copy to Clipboard Toggle word wrap
    Important

    Keep the unencrypted private key secure.

  5. Sign your kernel module. The following command appends the signature directly to the ELF image in your kernel module file: 

    # /usr/src/kernels/$(uname -r)/scripts/sign-file \
          sha256 \
          sb_cert.priv \
          sb_cert.cer \
          my_module.ko
    Copy to Clipboard Toggle word wrap

Your kernel module is now ready for loading.

Important

In RHEL 8, the validity dates of the key pair matter. The key does not expire, but the kernel module must be signed within the validity period of its signing key. The sign-file utility will not warn you of this. For example, a key that is only valid in 2019 can be used to authenticate a kernel module signed in 2019 with that key. However, users cannot use that key to sign a kernel module in 2020.

Verification

  1. Display information about the kernel module’s signature: 

    # modinfo my_module.ko | grep signer
    Copy to Clipboard Toggle word wrap 
    signer:         Your Name Key
    Copy to Clipboard Toggle word wrap

    Check that the signature lists your name as entered during generation.

    Note

    The appended signature is not contained in an ELF image section and is not a formal part of the ELF image. Therefore, utilities such as readelf cannot display the signature on your kernel module.

  2. Load the module: 

    # insmod my_module.ko
    Copy to Clipboard Toggle word wrap

  3. Remove (unload) the module: 

    # modprobe -r my_module.ko
    Copy to Clipboard Toggle word wrap

3.12. Loading signed kernel modules
Copier lien

After enrolling your public key in the system keyring (.builtin_trusted_keys) and the MOK list, and signing kernel modules with your private key, you can load them using the modprobe command.

Prerequisites

Procedure

  1. Verify that your public keys are on the system keyring: 

    # keyctl list %:.platform
    Copy to Clipboard Toggle word wrap

  2. Copy the kernel module into the extra/ directory of the kernel that you want: 

    # cp my_module.ko /lib/modules/$(uname -r)/extra/
    Copy to Clipboard Toggle word wrap

  3. Update the modular dependency list: 

    # depmod -a
    Copy to Clipboard Toggle word wrap

  4. Load the kernel module: 

    # modprobe -v my_module
    Copy to Clipboard Toggle word wrap

  5. Optional: To load the module on boot, add it to the /etc/modules-loaded.d/my_module.conf file: 

    # echo "my_module" > /etc/modules-load.d/my_module.conf
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the module was successfully loaded: 

    # lsmod | grep my_module
    Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat